OneLogin OTP for Windows Desktop

Using multiple authentication factors is an effective way of preventing someone from accessing your sensitive data even if they manage to get hold of your username or password. OneLogin OTP for Windows Desktop is a free Windows solution that allows desktop users to submit one-time passwords with the push of a button.

Deployment Requirements

The OneLogin OTP application currently only supports a per-user install and securely stores OTP credentials in the user's registry hive during first-run. The OTP application does not require elevated privileges (UAC) and can be installed and run as a normal user.

Each user must have access to the Windows installer package when running the application for the first time. It is recommended that the installer be published to a Windows share that is accessible by all OTP users.

OneLogin only supports one OTP credential per user account. Active Directory domain roaming profiles must be configured for domain users who need to log on to multiple computers and have access to OneLogin.

OneLogin strongly recommends that the OTP application be deployed on an operating system with drive encryption for the OS, such as BitLocker. The OTP application relies on the Windows security subsystem to protect the OTP credential. Technologies such as BitLocker help to ensure the OS is protected from offline attacks.

For more information on BitLocker, see http://technet.microsoft.com/en-us/library/cc732774.aspx
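The requirements above (BitLocker on the OS drive, a reachable installer share, no elevation needed, roaming profiles for multi-machine users) can be checked on a workstation before rollout. The script below is an added example, not part of the OneLogin documentation or product; the UNC path is a placeholder and the function name is hypothetical.

```powershell
# Added pre-deployment check for OneLogin OTP for Windows Desktop (example code, not OneLogin's).
# Run it as the OTP user on a representative workstation.
$InstallerPath = '\\FILESERVER\Software\OneLoginDesktopOTP.msi'   # placeholder: replace with your share

function Test-OtpDeploymentPrereqs {
    param([string]$MsiPath = $InstallerPath)
    $result = [ordered]@{}

    # 1. The OS volume should be BitLocker-protected, since the OTP credential lives in the
    #    user's registry hive and BitLocker is what defends that hive against offline attacks.
    #    Get-BitLockerVolume comes from the BitLocker module (Windows 8 / Server 2012 and later).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $result['OsDriveBitLocker'] = ($vol.ProtectionStatus -eq 'On')
    } catch {
        # Module missing or query failed: report as unprotected rather than silently passing.
        $result['OsDriveBitLocker'] = $false
    }

    # 2. The user must be able to reach the MSI on the share at first run.
    $result['InstallerReachable'] = Test-Path -LiteralPath $MsiPath -PathType Leaf

    # 3. The app is a per-user install and needs no UAC elevation; an elevated session is
    #    unnecessary and worth flagging so the install is not done under a different token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $result['RunningElevated'] = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 4. Only one OTP credential per account is supported, so a domain user who logs on to
    #    several machines needs a roaming profile. Win32_UserProfile exposes RoamingConfigured.
    $profile = Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq $identity.User.Value }
    $result['RoamingProfile'] = [bool]($profile.RoamingConfigured)

    [pscustomobject]$result
}

Test-OtpDeploymentPrereqs | Format-List
```

A result with OsDriveBitLocker false or InstallerReachable false means the workstation does not yet meet the deployment requirements; RoamingProfile false only matters for users who log on to more than one computer.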

Enabling OneLogin OTP for your OneLogin Account

In order to use OneLogin OTP for Windows Desktop, an admin has to turn on OneLogin Protect for the OneLogin Account. Go to Security -> Authentication Factors. Click New Auth Factor and choose OneLogin Protect from the authentication factor list and provide it with an appropriate display name.

Setting the OneLogin OTP Policy

Users of OneLogin OTP for Windows Desktop must be attached to a security policy that has MFA enabled and OneLogin Protect selected (the display name could be different depending on how the above task was completed).

Go to Security -> Policies.

Click New User Policy to create a new policy, or click an existing user policy row to add the OTP requirement to an existing policy.

Go to the MFA tab, and select OneLogin Protect (the display name could be different depending on how the above task was completed).

(Optional) If you want MFA to be required for all users (excluding those defined in the next step), select the OTP Auth Required checkbox.

(Optional) Define the users and locations that require OTP authentication.

For example, you can bypass OTP for certain IP addresses, apply it to admins only, apply it at every login or only for unknown browsers, and define session lengths. For more information, see User Policies.

Installing the OTP App

To install the Windows OTP app, download the OneLoginDesktopOTP.msi file, which you can find at the top of this article. Log into your profile and launch the installer. Once installed, OneLogin OTP can be launched from the Start Menu. Upon first launch the app will display a device credential that you can use to register the app with your OneLogin account.

Registering the OTP App

If a user is under a security policy that requires OTP for all users, the user will be prompted to register their OneLogin OTP app at the first successful login attempt. This requires having the app installed on their Windows desktop and entering the Credential ID (device ID) and two consecutive Security Codes.

Users can also register the app by going to their profile menu, selecting Profile, and clicking the plus (+) sign in the 2-Factor Authentication section of their Profile page.

Providing OTP code at login

Once the OTP app is registered, users will be prompted for the OTP code upon logging in to OneLogin, after they enter their Email and Password. The user can enter the code manually or push the Send button in the app.